Malware Analysis Coursework: Static & Dynamic PDF & DLL Exam
- Subject Code: CSEC5003
Tasks to be undertaken:
In this coursework, you are expected to:
Analyse two PDF files and two specimens of malware and answer questions about the insights gained, detailing your approach with relevant evidence, e.g., screenshots, excerpts of logs, etc.
Part 1: Static and dynamic analysis of unknown suspicious files
This is the first part of your graded coursework and is worth 42% of your total marks.
Scenario and goal
You have been provided with a set of unknown files found on a suspected infected machine on your organization's network. The goal is to perform an in-depth analysis of the files and document any observable characteristics and/or behaviours.
Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses. Please provide your answers under each given question. Any references cited should be listed at the end of your report.
Environment and tools
Analyse the set of PDF files zipped within cw_pdf_files.7z in a REMnux environment using appropriate tools; the archive password is infected. Also analyse the file unknown.file on a Windows XP virtual machine. It should be extracted from unknown.7z with the archive password infected.
Please note that these are real malware samples. Which tools you use is entirely up to you. In malware analysis there is rarely one right path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs.
Analysis tasks
1. Retrieve the two PDF documents from the cw_pdf_files.7z archive. Perform a comprehensive analysis of the two files and present your findings, drawing conclusions as to whether or not each file may be a malicious PDF document. [12 marks]
2. Retrieve unknown.file from the unknown.7z archive. How would you confirm what type of file it is? What observable features of the file suggest that it may or may not be packed? Document your observations with any applicable tools of your choice. [5 marks]
3. Next, perform a basic static analysis of the malware sample (unknown.file) and document your findings. For example, what do the imports and exports tell you about the sample? Are there any interesting strings? Can you observe anything suspicious section-wise? If the sample is packed, make sure you unpack it first. [5 marks]
4. Analyse the sample (unknown.file) dynamically and monitor its activities on the system. What changes do you observe on the host? For example, is anything dropped, executed or deleted? (Hint: if you use Regshot in any phase of your analysis, set the scan directory to C:.) Support your claims with documentary evidence from tools such as Regshot, Process Monitor, etc. [10 marks]
5. Does the sample (unknown.file) exhibit any network-based behaviour? Analyse and document any observable network activities under (a) an isolated environment and (b) with the system connected online (in this exercise it is acceptable to let the sample talk to the outside world). Document all observable patterns in network activity using appropriate tools and techniques. [10 marks]
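A first-pass triage for Task 1, added here as an illustration (editor-supplied example code, not one of the lab tools and not part of the brief): it counts the PDF name tokens that give a document the ability to run code or fire actions, resolves the #xx name escapes that defeat a plain grep for /JavaScript, and checks that obj/endobj and stream/endstream markers balance. The two documents it scans are constructed inside the script and are not the coursework samples.

```python
"""Raw-byte triage of a PDF before handing it to pdfid/pdf-parser/peepdf.
Added example for this coursework; not part of the lab tools or the brief.
The two sample documents below are constructed in this file and are not the
coursework samples."""
import re
from collections import Counter

# Names that let a PDF run code, trigger actions or reach out, plus the
# features (object streams, encryption) that hide such names from a raw scan.
ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/SubmitForm", b"/URI")
TRIGGERS = (b"/OpenAction", b"/AA")
HIDING = (b"/ObjStm", b"/Encrypt")
# A PDF name token: '/' followed by regular characters; '#xx' escapes are legal
# inside it, which is how /J#61vaScript sidesteps a grep for /JavaScript.
NAME_RE = re.compile(rb"/(?:[^\x00\t\n\x0c\r /()<>\[\]{}%#]|#[0-9A-Fa-f]{2})*")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def name_counts(data: bytes) -> Counter:
    """Count every name token with its #xx escapes resolved."""
    names = Counter()
    for m in NAME_RE.finditer(data):
        names[HEX_ESC.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))] += 1
    return names

def triage_pdf(data: bytes) -> dict:
    names = name_counts(data)
    return {
        "has_header": data.lstrip().startswith(b"%PDF-"),
        "objects": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data)),
        "endobj": data.count(b"endobj"),
        "streams": len(re.findall(rb"\bstream\b", data)),
        "endstream": data.count(b"endstream"),
        "eof_markers": data.count(b"%%EOF"),  # more than one means incremental updates
        "indicators": {n.decode(): names[n] for n in ACTIVE + TRIGGERS + HIDING if names[n]},
    }

def verdict(report: dict) -> str:
    ind = report["indicators"]
    active = [n.decode() for n in ACTIVE if n.decode() in ind]
    triggers = [n.decode() for n in TRIGGERS if n.decode() in ind]
    if active and triggers:
        return "high: %s auto-triggered via %s" % (", ".join(active), ", ".join(triggers))
    if active:
        return "medium: active content %s present" % ", ".join(active)
    if triggers or any(n.decode() in ind for n in HIDING):
        return "low: triggers or hidden objects; inflate the streams with a parser before deciding"
    if report["objects"] != report["endobj"] or report["streams"] != report["endstream"]:
        return "low: unbalanced obj/stream markers (damaged or deliberately malformed)"
    return "none: no red flags in the raw scan"

# Constructed samples (not real malware): the first one's catalog carries an
# /OpenAction that fires an escaped /J#61vaScript action when the file opens.
MALICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('triage');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS), ("benign", BENIGN)):
        report = triage_pdf(doc)
        print(label, report["indicators"], "->", verdict(report))
```

Run it with python3 under REMnux; for the real files call triage_pdf(open(path, "rb").read()). A clean result here is not a clean bill of health: anything inside an object stream or an encrypted document is invisible to a raw scan, which is exactly when a tool that inflates the streams (pdf-parser, peepdf) has to take over, so treat the /ObjStm and /Encrypt hits as a prompt to go deeper rather than as a verdict.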
Part 2: Analysis and reverse engineering of a malicious DLL
This is the second part of your graded coursework and is worth 40% of your total marks.
Scenario and goal
Your friend received an email with an attachment and proceeded to open the email. Without being careful, your friend also opened the attachment and is now concerned that the system may be infected.
Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses.
Environment and tools
Analyse the file malsample.dll on a Windows XP virtual machine. Extract it from malsample.7z with the archive password infected. Which tools you use is entirely up to you. In malware analysis there is rarely one right path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs. Please provide your answers under each given question. Any references cited should be listed at the end of your report.
Analysis tasks
1. Your friend receives the file (malsample.dll) as an email attachment on their Windows XP machine and accidentally double-clicks it. Is their system infected? If yes, why/how? If no, why not? Explain and support your answer with evidence from dynamic analysis. [5 marks]
2. Analyse the sample dynamically and monitor its activities on the system. Outline the steps taken to execute the sample for analysis. What changes do you observe on the host? For example, is anything dropped, executed or deleted? Are any other changes to the host observed? (Hint: if you use Regshot in any phase of your analysis, be careful to set the scan directory to C:.) Support your claims with documentary evidence. [10 marks]
3. Under which process is the malicious DLL running? What is the process ID of this process? Document your approach and show how you obtained this information. [5 marks]
4. Describe how you would set up a network analysis environment. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity in an isolated environment. How does this malware behave network-wise? [10 marks]
5. Reverse engineer the sample with IDA/IDA pro. (a) How many functions are exported by the DLL? (b) What are the addresses of the functions that the DLL exports? (c) How many functions call the kernel32 API LoadLibrary? (d) How many times is the kernel32 API Sleep() called in the DLL? (support your answers with documentary evidence, e.g., screenshots). [5 marks]
6. Navigate to the ServiceMain function. (a) Show the graph view of the function (b) The main subroutine (of the ServiceMain function) jumps to a location where the code calls the kernel32 API Sleep() right after the JZ assembly instruction. What is the value of the parameter used by this Sleep() call? [5 marks]
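The script below is an added example for this brief (editor-supplied, not one of the lab tools) covering the static steps behind Part 1 Tasks 2 and 3 and Part 2 Task 5(a)-(b) without pefile or IDA: it confirms the MZ/PE file type, lists the sections with their entropy, walks the export directory to count the exports and recover their addresses, and reports the packing indicators an analyst looks for (a non-standard section name, entropy near 8, a section far larger in memory than on disk, writable code, an entry point outside .text). The two DLLs it inspects are assembled in memory by build_sample_dll(); their file name, export names and RVAs are made up for the demonstration.

```python
"""Static PE triage in pure Python: confirm the file type, list sections with their entropy,
walk the export table and report packing indicators. Added example for this coursework, not
one of the lab tools; the two DLLs it inspects are built in memory below and are not malware."""
import hashlib, math, struct
from collections import Counter
COMMON = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".pdata", "CODE", "DATA"}

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values()) if buf else 0.0

def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return rva - s["va"] + s["rptr"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def parse_exports(data: bytes, pe: dict) -> list:
    """Walk IMAGE_EXPORT_DIRECTORY: the function RVA array, then the name and ordinal arrays."""
    hdr = struct.unpack_from("<IIHHIIIIIII", data, rva_to_offset(pe, pe["export_rva"]))
    base, nfunc, nnames, funcs_rva, names_rva, ords_rva = hdr[5:]
    funcs = struct.unpack_from("<%dI" % nfunc, data, rva_to_offset(pe, funcs_rva))
    names = struct.unpack_from("<%dI" % nnames, data, rva_to_offset(pe, names_rva))
    ords = struct.unpack_from("<%dH" % nnames, data, rva_to_offset(pe, ords_rva))
    by_index = {}
    for name_rva, ordinal in zip(names, ords):  # the ordinal table holds unbiased indexes
        off = rva_to_offset(pe, name_rva)
        by_index[ordinal] = data[off:data.index(b"\0", off)].decode("latin-1")
    return [{"ordinal": base + i, "name": by_index.get(i), "rva": rva} for i, rva in enumerate(funcs) if rva]

def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("MZ stub without PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    export_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96))[0]  # data directory 0
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize, "rsize": rsize,
                         "rptr": rptr, "chars": sc, "entropy": round(entropy(data[rptr:rptr + rsize]), 2)})
    pe = {"format": "PE32+" if pe32plus else "PE32", "machine": machine, "is_dll": bool(chars & 0x2000),
          "entry": struct.unpack_from("<I", data, opt + 16)[0], "sections": sections, "export_rva": export_rva}
    pe["exports"] = parse_exports(data, pe) if export_rva else []
    return pe

def packing_indicators(pe: dict) -> list:
    """Heuristics, not proof: each hit is a reason to suspect a packer and unpack before static analysis."""
    hits = []
    for s in pe["sections"]:
        if s["name"] not in COMMON:
            hits.append("unusual section name %r" % s["name"])
        if s["entropy"] > 7.0:
            hits.append("%s has entropy %.2f" % (s["name"], s["entropy"]))
        if s["vsize"] > 2 * s["rsize"]:
            hits.append("%s is 0x%x bytes on disk but 0x%x in memory" % (s["name"], s["rsize"], s["vsize"]))
        if s["chars"] & 0x80000000 and s["chars"] & 0x20000000:
            hits.append("%s is both writable and executable" % s["name"])
    ep = next((s for s in pe["sections"] if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rsize"])), None)
    if ep is None or ep["name"] not in (".text", "CODE"):
        hits.append("entry point 0x%x is in %s" % (pe["entry"], ep["name"] if ep else "no section"))
    return hits

def build_sample_dll(sec_name: bytes, code: bytes, vsize: int, sec_chars: int, exports: dict) -> bytes:
    """Assemble a minimal PE32 DLL: one code section plus .edata. Constructed test input only."""
    falign, salign, code_va = 0x200, 0x1000, 0x1000
    edata_va = code_va + -(-vsize // salign) * salign
    code_raw = code.ljust(-(-len(code) // falign) * falign, b"\0")
    n, names, name_rvas = len(exports), b"sample.dll\0", []
    for fname in exports:
        name_rvas.append(edata_va + 40 + 10 * n + len(names))  # strings follow the three arrays
        names += fname.encode() + b"\0"
    edata = (struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, edata_va + 40 + 10 * n, 1, n, n,
                         edata_va + 40, edata_va + 40 + 4 * n, edata_va + 40 + 8 * n)
             + struct.pack("<%dI" % n, *exports.values()) + struct.pack("<%dI" % n, *name_rvas)
             + struct.pack("<%dH" % n, *range(n)) + names)
    edata_raw = edata.ljust(falign, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, EXECUTABLE|32BIT|DLL
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6, 0x10B, 14, 0,
                      len(code_raw), len(edata_raw), 0, code_va, code_va, edata_va, 0x10000000, salign, falign,
                      5, 1, 0, 0, 5, 1, 0, edata_va + salign, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", edata_va, len(edata)) + b"\0" * 120  # export directory, then 15 empty entries
    hdrs = struct.pack("<8sIIIIIIHHI", sec_name, vsize, code_va, len(code_raw), 0x200, 0, 0, 0, 0, sec_chars)
    hdrs += struct.pack("<8sIIIIIIHHI", b".edata", len(edata), edata_va, len(edata_raw), 0x200 + len(code_raw), 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + dirs + hdrs).ljust(0x200, b"\0") + code_raw + edata_raw

# Constructed inputs: a plain DLL with two exports, and the same image dressed like a packed one.
PLAIN_CODE = (b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 52)[:0x200]
PACKED_CODE = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(128))
EXPORTS = {"ServiceMain": 0x1000, "Install": 0x1040}  # made-up export names and RVAs
PLAIN_DLL = build_sample_dll(b".text", PLAIN_CODE, 0x200, 0x60000020, EXPORTS)
PACKED_DLL = build_sample_dll(b"UPX1", PACKED_CODE, 0x6000, 0xE0000020, EXPORTS)
if __name__ == "__main__":
    for blob in (PLAIN_DLL, PACKED_DLL):
        pe = parse_pe(blob)
        print(pe["format"], "DLL" if pe["is_dll"] else "EXE", [(e["name"], hex(e["rva"])) for e in pe["exports"]])
        print("   ", packing_indicators(pe) or "no packing indicators")
```

For the coursework samples call parse_pe(open(path, "rb").read()). The export count and RVAs come straight from the export directory, so they correspond to what IDA lists in its Exports window once the ImageBase from the optional header is added to each RVA. The output of packing_indicators() is only a set of indicators: a custom section name or a high-entropy resource section is not proof of a packer, and confirmation still comes from unpacking (for example dumping the process after the stub has run) and seeing a normal import table appear.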
Part 3: Exploration of Additional Tools for Static and Dynamic Analysis
This is the third part of your graded coursework and is worth 18% of your total marks.
1. Find two additional tools, distinct from those available in the virtual machines: one for static analysis and one for dynamic analysis. Both tools should be compatible with either Windows XP or REMnux. After installing the tools, practise static and dynamic analysis on the malware samples unknown.file and/or malsample.dll. Lastly, explain how the results obtained from these additional tools complement the findings from Part 1 and Part 2 of your coursework. [10 marks]
2. Presentation: organization, readability, references, quality of figures etc. [8 marks]
Deliverables to be submitted for assessment:
Written document consisting of three parts, with the answer to each question provided as a separate item. Detailed answers and documentary evidence should be given under each question. Posting final results/findings without providing appropriate evidence and analysis will not be marked. Where appropriate, references should be listed at the end of the report and cited within the body of the report (max. 3000 words excluding figures, references, appendices, etc.).
Part 1: Static and dynamic analysis of unknown suspicious files; Part 2: Analysis and reverse engineering of a malicious DLL; and Part 3: Exploration of additional tools for static and dynamic analysis all need to be presented in the document.
How the work will be marked:
Each question is scored from 0 to the maximum indicated alongside it, following a specific marking grid that considers the substance of each written response. There is a total of 8 marks for presentation quality (4 marks for each section). Please refer to the marking grid for details of how the work is assessed.